Security

“This issue is different”: Huobi responds to user phone number leak following the alleged Binance KYC hack

Quick Take

  • Following Binance’s alleged KYC leak last week, several sources told The Block that Huobi users’ information is surfacing on some dark-web markets
  • Huobi claims that most of this information, mainly consisting of phone numbers, is not associated with Huobi users
  • Huobi said these phone numbers may be gathered by hijacking third party messaging service providers and the leak is not due to any security breach on Huobi 

Binance made headlines earlier this month after its users’ personal information was allegedly spread in a Telegram chat, but sources have told The Block that the problems facing the world’s largest cryptocurrency exchange might also hang over other crypto firms. 

Huobi, another crypto exchange with Chinese roots, appears to be in a similar boat as Binance. The exchange’s name constantly surfaces on the dark web markets, where self-proclaimed hackers are selling user information that allegedly belongs to Huobi’s customers.

All roads lead to the Dark Web

On Chinese dark-web markets,  folks can buy alleged Huobi user data for as little as $0.30.

One advertisement on a dark web market selling Huobi user phone numbers

This data supposedly includes phone numbers and text messages users receive when they withdraw from the exchange. 

One seller, who claimed to be a hacker, promised that these phone numbers are “absolutely real” and can yield a high pick-up rate, suggesting that potential scammers can expect responses when reaching out to these numbers. The hacker even added that these phone numbers’ “convert rate is decent for conducting a pyramid scheme.” 

This particular seller, along with some others, also claims to have user data from other less known exchanges such as BIKI, Hetbi, and ZDCoin.  

When reached for comment, Huobi head of marketing Ross Zhang told The Block that at least one of the advertisements are not, in fact, selling user data from Huobi. The exchange ran the data being sold against its own database and found “only a negligible portion of the phone numbers are associated with Huobi accounts.”

“We suspect that the hacker is using Huobi’s name as a gimmick for their own business interests,” said Zhang.

A breach of a messaging service?

The phone numbers that are allegedly associated with Huobi users might have been gathered by means other than hacking the Huobi platform directly. A Huobi spokesperson said that these phone numbers might have been hijacked by breaching a third-party messaging provider, which would explain why some data contains content of verification messages sent by Huobi to users. 

“We understand that due to the recent leak from a major exchange, there are growing concerns regarding the leak of users’ KYC data which contains essential and highly confidential user information. However, this issue is different,” said the spokesperson.